A CSR requests a certificate from a higher authority, whereas a self-signed cert is just that: the device that will be using that certificate generates it for itself.

If you want a web site certificate (for example) for a site that will be available publicly, then that cert has to be trusted by the person visiting the site. If you use a self-signed cert for that site, then the users who visit the site will have to import that cert into one of their own cert stores (Trusted Root Certification Authorities, Trusted Publishers, Trusted People, etc.).

Instead, if you want to use a cert generated by a Certificate Authority (your own internal domain CA, or some 3rd-party public CA such as Verisign, GlobalSign, GoDaddy and others), then you will enter certain information into a template file for the type of use the cert will be used for, and generate the CSR from that. Once the CA issues you the cert, the file they return to you must be linked to the original request, on the server where the request came from.

Certificates can be generated in several different ways (cmd line tools, web tool, MMC) and which one you use will depend on the ‘authority’ issuing the cert. For any public 3rd-party CAs, their web sites usually have simple instructions for how their request works. If you’re going to use an internal CA inside your own organization, whoever admins that CA should be able to help you.

Thanks for your response, but it's still confusing; your answer was a bit generic about CAs and CSRs.

My question is: if you have a Web Service and want to bind it to HTTPS, assume you don't have a self-signed certificate configured yet,

if you come to generate a CSR, will the system automatically issue a self-signed certificate for you for that service?
Or can't you generate a CSR unless the self-signed certificate was created previously?

Maybe the question is stupid, I don't know, but I have very basic skills in digital certificates :)

CSR requests and CAs and IIS and SSL are somewhat a PITA for me. It's just a convoluted and abstract process, especially with so many different types of servers, i.e. Apache and IIS and cloud hosted AWS/GoDaddy. I usually refer to some of the walk-thrus from SSL companies. I like the DigiCert pages, as they have a decent explanation and instructions that are generic enough to apply to other vendors. Check out their page for instructions on how to complete the process. You can check out a couple and it will give you the basic idea of how to complete the process. Once you get it done the first time, it's easier. Just google with the specifics of what you're using and you should be able to find a walk-thru.

The system won’t issue anything for HTTPS. You have to generate a CSR for that service for it to be secure.

Basically, if you are going down the route of an internal ROOT CA, then this is what would happen:

On the computer that you want the certificate for, let's say HTTPS and IIS as that is what you have mentioned, you would use the IIS MMC to generate a CSR.
This is basically a system generated text file that contains a heap of information from the details that you have entered.

If you are using a local Trusted ROOT CA, then you load the CSR into the relevant web page for the CA and wait for it to be approved by your local admin.
Once approved you then return to the CA web page and retrieve your certificate, which you can then use to secure your website.

However if you need an externally secure certificate, i.e. it is trusted externally to your org, you would need to use a company like GoDaddy to request the certificate from. This still uses the same CSR file that you generated earlier.

So, to sum up: you can generate a CSR quite happily on any system you have; however, you MUST then use either an internal CA or an external CA to generate the certificate for you. The CSR is essentially just a text file that does nothing until you use a CA to generate the certificate.

In addition to the previous notes, after re-reading this thread, I think you may have missed a point: the certificate you use for your secure web site will be EITHER a self-signed cert that is generated on the server itself (hence the name self-signed), OR the cert is the result of going through the CSR process. And that CSR will be answered either by an internal Certificate Authority (CA) that your domain has stood up, or it will be answered when you submit the CSR to a public provider, as suggested previously. So, as Ossian said, we need to know more about the site you're trying to secure: is it in a workgroup or an internal domain where you have total control, or is it for a page that is to be hosted on the public Internet? That answer will determine how you should proceed, and we can advise you better.
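The two routes the last two replies describe (a self-signed cert made on the server itself, versus a CSR that only becomes a certificate once a CA answers it) can be walked through end to end with the OpenSSL command line, which is what the Apache/Linux side of the thread would use where IIS users would use the MMC. The script below is an added example and is not from any poster in the thread; it assumes the `openssl` CLI is installed, and every name in it (`demo.internal`, "Demo Internal CA", the `profile.cnf` file standing in for the "template file" mentioned earlier, and the files under `$WORK`) is a constructed placeholder. The throwaway root CA plays the part of the internal CA admin who approves the request.

```shell
#!/bin/sh
# Added demo (not from the thread): a CSR is a signing request, not a certificate.
# Assumes the openssl CLI is installed. All names (demo.internal, "Demo Internal CA",
# the $WORK paths) are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal stand-in for the "template file" a request is built from: one
# extension profile for a CA certificate and one for a web server certificate.
write_profile() {
  cat > "$WORK/profile.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.internal
EOF
}

# Route 1: self-signed. The server signs its own public key with its own key.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/self.key" \
    -out "$WORK/self.crt" -days 30 -subj "/CN=demo.internal" \
    -config "$WORK/profile.cnf" -extensions v3_server 2>/dev/null
}

# Route 2, step 1: generate a key pair and a CSR on the server. The private
# key never leaves this machine; only the CSR is sent to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
    -out "$WORK/site.csr" -subj "/CN=demo.internal" \
    -config "$WORK/profile.cnf" 2>/dev/null
}

# Route 2, step 2: the CA (a throwaway root standing in for an internal or
# public CA) answers the request by signing it with the server profile.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 60 -subj "/CN=Demo Internal CA" \
    -config "$WORK/profile.cnf" -extensions v3_ca 2>/dev/null
}
sign_csr() {
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/profile.cnf" -extensions v3_server \
    -out "$WORK/site.crt" 2>/dev/null
}

# Checks. Does the CSR file contain a certificate? It holds only a
# "CERTIFICATE REQUEST" block (public key + requested subject).
csr_contains_certificate() {
  if grep -q -- "-----BEGIN CERTIFICATE-----" "$WORK/site.csr"; then echo yes; else echo no; fi
}
# Is the certificate self-signed, i.e. issuer equals subject?
issuer_equals_subject() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}
# Does the issued cert carry the public key from the CSR, so it pairs with the
# private key that stayed on the requesting server ("linked to the original request")?
issued_cert_matches_csr_key() {
  a=$(openssl req -in "$WORK/site.csr" -noout -pubkey)
  b=$(openssl x509 -in "$WORK/site.crt" -noout -pubkey)
  if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}
# Would a client that trusts only the demo CA accept this certificate?
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

run_demo() {
  write_profile; make_self_signed; make_csr; make_demo_ca; sign_csr
  echo "CSR contains a certificate:     $(csr_contains_certificate)"
  echo "self.crt issuer == subject:     $(issuer_equals_subject "$WORK/self.crt")"
  echo "site.crt issuer == subject:     $(issuer_equals_subject "$WORK/site.crt")"
  echo "site.crt key matches the CSR:   $(issued_cert_matches_csr_key)"
  echo "site.crt trusted via demo CA:   $(verify_against_ca "$WORK/site.crt")"
  echo "self.crt trusted via demo CA:   $(verify_against_ca "$WORK/self.crt")"
}
run_demo
```

The last two lines of output make the thread's point concrete: the CA-issued `site.crt` verifies for a client that trusts the demo CA, while the self-signed `self.crt` does not, which is exactly why a self-signed cert must be imported into each visitor's trusted store. Nothing about generating the CSR created a certificate; `site.crt` only exists because `sign_csr` (the CA) answered the request.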